Privacy
This page describes how faktoora GmbH collects, uses, and protects personal data.
Data Controller
faktoora GmbH, Amselweg 1, 89231 Neu-Ulm, Germany
General inquiries: info@faktoora.com
Data Protection Officer
faktoora has appointed an external Data Protection Officer:
PROLIANCE GmbH, Leopoldstr. 21, 80802 Munich, Germany. Email: datenschutzbeauftragter@datenschutzexperte.de
For privacy-related questions, you may also contact privacy@faktoora.com.
Data Categories
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, password hash, role, permissions | User authentication and access management |
| Invoice data | Company names, addresses, VAT IDs, line items, amounts | Invoice creation, delivery, and archival |
| Contact data | Company information, addresses, email, phone | Customer and contact management |
| Usage data | Login timestamps, activity logs, session data | Security monitoring and audit trail |
| Payment data | Subscription plan, billing information | Subscription management (card numbers are never stored by faktoora) |
Legal Basis for Processing
| Legal basis | Processing activities |
|---|---|
| Contract performance (Art. 6(1)(b) GDPR) | Account management, invoice creation and delivery, subscription management, customer data management |
| Legal obligation (Art. 6(1)(c) GDPR) | Invoice retention under German tax law (GoBD), tax reporting obligations, regulatory compliance |
| Legitimate interest (Art. 6(1)(f) GDPR) | Security monitoring, platform reliability, audit logging, error tracking |
Data Transfers
EU-Based Services
| Recipient | Purpose |
|---|---|
| Mailjet (France) | Email delivery for invoices, notifications, and correspondence |
| Peppol network (EU) | E-invoice delivery via the pan-European Peppol network |
| BanksAPI (EU) | Bank transaction matching for payment reconciliation |
Non-EU Transfers (with safeguards)
| Recipient | Purpose | Safeguard |
|---|---|---|
| Stripe (US) | Payment processing | EU Standard Contractual Clauses |
| OpenAI (US) | Optional AI-assisted product catalogue input — receives only user-provided input text, never existing product data, invoices, or customer data | Data Processing Agreement with SCCs |
Regulatory Transfers
| Recipient | Purpose |
|---|---|
| AEAT (Spain) | VeriFactu mandatory invoice registration for Spanish invoicing |
Customer-Configured Integrations
Customers may authorise connections to CRM, ERP, or accounting systems (such as Xero, DATEV, Bexio, HubSpot, and others). Data shared with these services is controlled by the customer's configuration and governed by the customer's own agreements with those providers.
Data Retention
| Data type | Retention period | Legal basis |
|---|---|---|
| Outgoing and incoming invoices | 10 years from end of calendar year | German tax law (GoBD, AO § 147) |
| Business correspondence (offers, reminders, letters) | 6 years from end of calendar year | German tax law (GoBD) |
| Bank transaction data | 10 years | German tax law |
| User accounts | Until account deletion is requested | Contract |
| Session data | 24 hours (automatic expiration) | Operational necessity |
| Activity and audit logs | Indefinite | Security and audit purposes |
| Backups | Up to 24 months | Disaster recovery |
Your Rights
Under GDPR, you have the following rights regarding your personal data:
Right of Access
You can export your data at any time through the application in machine-readable formats (CSV, XLSX, JSON, XML).
Right to Rectification
You can update your profile and account data directly within the application.
Right to Erasure
You can request deletion of your account. Please note that invoice and financial data is subject to legal retention requirements (up to 10 years under German tax law) and cannot be deleted while those obligations apply.
Right to Restriction of Processing
You may request that we restrict the processing of your data in certain circumstances.
Right to Data Portability
You can export your data in structured, commonly used formats through the application's export functionality.
Right to Object
You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
How to Exercise Your Rights
- Self-service: Most rights can be exercised directly through the faktoora application (export, edit, delete)
- Email: privacy@faktoora.com
- DPO: datenschutzbeauftragter@datenschutzexperte.de
We respond to all requests within one month. For complex requests, the response period may be extended by up to two additional months, with notice.
Automated Decision-Making
faktoora does not use automated decision-making or profiling that produces legal effects or similarly significantly affects data subjects.
Security Measures
For details on how we protect your data, see our Security Overview.
Changes to This Notice
We review this privacy information annually and will notify users of material changes through the application.